Policy about network-listening daemons running as root?
Daniel J Walsh
dwalsh at redhat.com
Tue May 22 16:52:43 UTC 2007
Hans de Goede wrote:
> Konstantin Ryabitsev wrote:
>> Hi, all:
>>
>> Do we have a policy about network-listening daemons not running as
>> root? Not according to my perusal of fedoraproject.org, but I wanted
>> to verify in case it's one of the "unwritten rules."
>>
>
> This clearly falls under the unwritten use your common sense rule. IOW
> no daemon / service should run as root unless it absolutely must, and
> when not running as root it should have its own user, not use a system
> user shared with other daemons.
>
> Regards,
If it runs as root, it should drop capabilities that it does not need,
and it should have an SELinux policy to confine it. Of course if it
runs as non-root, it should have an SELinux policy to confine it.
These are shoulds not musts.
>
> Hans
>
> --
> Fedora-maintainers mailing list
> Fedora-maintainers at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-maintainers
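
An added example, not part of the original thread or of any Fedora tooling: a Python check that applies the recommendations above to one daemon, using the text of its `/proc/<pid>/status` and its SELinux context. The daemon name `exampled`, the sample data, and the set of SELinux types treated as unconfined are assumptions constructed for illustration.

```python
# Capability bit numbers as defined in linux/capability.h (subset shown).
CAP_BITS = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 6: "CAP_SETGID",
            7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN",
            13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN"}
# Assumption: these types mean the daemon has no confining domain of its own.
UNCONFINED_TYPES = {"unconfined_t", "unconfined_service_t", "initrc_t"}

def parse_status(text):
    """Parse /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_caps(mask):
    """Names of the capability bits set in mask; unknown bits become cap_<n>."""
    return [CAP_BITS.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]

def review_daemon(status_text, selinux_context, needed=()):
    """Return findings; `needed` lists the capabilities the daemon must keep."""
    st = parse_status(status_text)
    euid = int(st["Uid"].split()[1])  # order: real, effective, saved, fs
    extra = [c for c in decode_caps(int(st["CapEff"], 16)) if c not in needed]
    findings = []
    if extra:
        who = "root" if euid == 0 else f"uid {euid}"
        findings.append(f"{st['Name']}: {who} keeps unneeded {', '.join(extra)}")
    parts = selinux_context.split(":")  # user:role:type[:level]
    se_type = parts[2] if len(parts) >= 3 else ""
    if not se_type or se_type in UNCONFINED_TYPES:
        findings.append(f"{st['Name']}: no confining SELinux domain "
                        f"({selinux_context or 'none'})")
    return findings

# Constructed sample: root daemon holding NET_BIND_SERVICE and SYS_ADMIN.
ROOT_STATUS = "Name:\texampled\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000200400\n"
# Constructed sample: same daemon under its own user with no capabilities.
DROPPED_STATUS = "Name:\texampled\nUid:\t480\t480\t480\t480\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for status, ctx in ((ROOT_STATUS, "system_u:system_r:initrc_t:s0"),
                        (DROPPED_STATUS, "system_u:system_r:exampled_t:s0")):
        result = review_daemon(status, ctx, needed=("CAP_NET_BIND_SERVICE",))
        print(result or "ok")
```

On a live system the two inputs come from `/proc/<pid>/status` and `/proc/<pid>/attr/current`.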